Washington (DC) - On October 29, 2008, a vigilant senior Unix engineer happened across a "logic bomb" that was allegedly planted by a contractor, Rajendrasinh Babubhai Makwana, who had worked in their Urbana, MD facility until October 24, 2008 when his contract was terminated. The script was set to activate on January 31, 2009 and would completely wipe all of Fannie Mae's 4,000 servers.

A common occurrence in the industry is the use of outdated software (right, ai-danno?)... it's very possible this contractor was able to use a local root exploit.

Wow, where do I begin? It's like this gift was tossed down from heaven and landed in my lap- I promise after my digression I will comment on the subject at hand...

A) I've always made the point that in the networking industry it's been my experience that the most up-to-date router code is the most troublesome. It's about manufacturers trying to get the latest feature sets above their competitors, and in the process, not taking care of older code that needed to be improved, or just introducing new shoddy code. So 'new' = 'insecure and untested' more often than not. Some non-networking examples:

- How long did it take for the iPhone to get hacked once it was introduced?
- How long did it take for Windows Vista to get compromised once it was released?
- How long did it take for my IPS's new code to be seen as more detrimental than useful after being installed this weekend? (the answer to that last one- about 10 minutes.)

B) And what is 'outdated software' anyway? If an application or Operating System (on any device, not merely networking devices) is patched for security issues, but no new features are added, is it considered outdated? Perhaps by some... not necessarily by me.

C) Perhaps some like to ride their networks by the seat of their pants. Maybe they've got the coolest features they may never even explore and the latest support for cards they will never personally own or use. But at least they can cling to the fact that they have "the latest", kinda like that person who feels the need to always be a 'first poster' on slashdot. It doesn't necessarily serve much purpose, but the person involved certainly feels cooler.

Personally, with regard to anything I even consider upgrading, I think, "What's in it for me?"
- Are there improvements for security that would actually benefit my situation?
- Are the features being introduced more glitzy and experimental than well-vetted and tested?
- Are the new features something I even need?
- Are those silly enough to use this before everyone else now running into issues (and if so, what are they, so I can avoid them if I use the same software)?

When it comes to this situation, it probably had nothing to do with the version of code being run; it was probably more about the access level the person was given outright by the organization. Either the fault lies with insufficient policies or procedures to limit access by any employees (not just contract employees), or it lies with the people that failed to follow the policies and procedures in place.